| ▲ | booi 2 hours ago | |
Where would this happen? I have never seen an API reflect a secret back but I guess it's possible? perhaps some sort of token creation endpoint? | ||
| ▲ | mananaysiempre an hour ago | parent | next [-] | |
Say, an endpoint tries to be helpful and responds with “no such user: foo” instead of “no such user”. Or, as a sibling comment suggests, any create-with-properties or set-property endpoint paired with a get-propety one also means game over. Relatedly, a common exploitation target for black-hat SEO and even XSS is search pages that echo back the user’s search request. | ||
| ▲ | tptacek 2 hours ago | parent | prev | next [-] | |
It depends on where you allow the substitution to occur in the request. It's basically "the big bug class" you have to watch out for in this design. | ||
| ▲ | ptx 2 hours ago | parent | prev | next [-] | |
How does the API know that it's a secret, though? That's what's not clear to me from the blog post. Can I e.g. create a customer named PLACEHOLDER and get a customer actually named SECRET? | ||
| ▲ | Tepix 2 hours ago | parent | prev [-] | |
HTTP Header Injection or HTTP Response Splitting is a thing. | ||